Simplify steps needed for stepped-up SingPass security

Posed photo of a person looking at SingPass website. PHOTO: ST FILE

SingPass users take note: You have until the end of June next year to register for two-factor authentication (2FA), which will better secure your sensitive e-government transactions.

If you do not register by then, you will not be able to transact with the Central Provident Fund Board (CPF), Inland Revenue Authority of Singapore (Iras) and Ministry of Manpower.

The 2FA process involves the use of a one-time password (OTP) - randomly generated and delivered via SMS or a token that looks like a mini-calculator. The OTP must be entered in addition to the usual static password and NRIC number when you log in to SingPass.
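To make the OTP half of that login concrete, here is an added example of the server side of an SMS-delivered one-time password step (this is illustrative code written for this page, not SingPass, Assurity or IDA code). It assumes the first factor (NRIC and static password) has already been checked, that an SMS-sending callable is supplied by the caller, and that a user identifier and mobile number are constructed sample values. It shows the properties a randomly generated OTP needs beyond "random": a short lifetime, single use, a cap on guesses, and storage of a keyed hash rather than the code itself.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6          # a 6-digit code, as delivered by SMS or a token
OTP_TTL_SECONDS = 120   # code is only valid for two minutes (assumed policy)
MAX_ATTEMPTS = 3        # guessing budget before the code is discarded (assumed policy)


@dataclass
class PendingOtp:
    digest: bytes       # keyed hash of the code; the plaintext code is never stored
    expires_at: float   # absolute time after which the code is dead
    attempts: int = 0   # wrong guesses so far


class OtpService:
    """Second-factor step only: issue a random OTP to a phone, then verify it once.

    send_sms(mobile_number, text) is supplied by the caller; clock is injectable
    so that expiry can be exercised in tests without sleeping.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}                    # user_id -> PendingOtp
        self._key = secrets.token_bytes(32)   # per-process HMAC key for hashing codes

    def _digest(self, user_id, otp):
        # Bind the hash to the user so a code issued to one user cannot be replayed as another's.
        msg = f"{user_id}:{otp}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user_id, mobile_number):
        """Generate a fresh code with a CSPRNG, record its hash, and deliver it by SMS."""
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Re-issuing replaces any earlier code, so only one live code exists per user.
        self._pending[user_id] = PendingOtp(
            digest=self._digest(user_id, otp),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        self._send_sms(mobile_number, f"Your one-time password is {otp}")

    def verify(self, user_id, submitted):
        """Return True once for the correct, unexpired code; False otherwise."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user_id]        # expired: discard, caller must re-issue
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.digest, self._digest(user_id, submitted))
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]        # single use, or guess budget exhausted
        return ok


if __name__ == "__main__":
    # Constructed demo: a fake SMS gateway that just prints the message.
    svc = OtpService(send_sms=lambda number, text: print(f"SMS to {number}: {text}"))
    svc.issue("user-1", "+65 0000 0000")     # constructed sample identifiers
    print("wrong code accepted?", svc.verify("user-1", "000000"))
```

Because the code is hashed with a process-local key, a read of the pending table does not yield usable codes, and `hmac.compare_digest` keeps the comparison constant-time. The clock injection is what lets the expiry path be tested deterministically.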

The 2FA features were added in July, one year after a massive security breach involving more than 1,500 SingPass accounts. Three of the breached accounts were used to make fraudulent applications for work passes.

But right now, 2FA use is saddled with a tedious registration process. There is a real risk that not all the 3.3 million SingPass users will be able to meet the sign-up deadline.

As the deadline looms, it seems to me that more must be done to remove these hurdles. Otherwise, there will be a backlash if the public cannot access their CPF or Iras accounts once 2FA kicks in.

I have two suggestions.

The first is to streamline the process to register for 2FA further.

The second is to do away with a static password, which people often forget.

First, streamline the registration.

The Straits Times described the registration for 2FA as an obstacle course in an article on Sept 23, and reported that sign-ups were "low", in the five-digit range.

The Infocomm Development Authority (IDA) has since said it would streamline the process by year-end, cutting out the last of three steps currently required in registration.

Currently, the three steps to get your SingPass ready for 2FA are:

1. Update your mobile number or e-mail address on the SingPass website, administered by IDA.

Next, go to the website of Assurity Trusted Solutions (the IDA subsidiary that supplies the OTP solution) and choose whether you wish to receive the OTP via SMS or use the calculator-like token.

2. Wait for up to five days to receive a PIN by snail mail. Then, go to Assurity's website and enter the PIN and your NRIC number to activate the OTP feature.

Next, create a new pair of National Authentication Framework (NAF) username and static password to administer the way to receive your OTP. For instance, an NAF account is needed to allow users to suspend a lost token, or update their mobile number.

3. Visit SingPass' website to link the NAF account to your existing SingPass account to start using the OTP feature.

If your eyes glazed over just reading this multi-step list, you are not alone. IDA has said that by year-end, it will automatically link people's NAF account to their SingPass account, so they don't have to do so manually.

But IDA could simplify the process further. One step should be all it takes to get people on 2FA.

Here's what it can do:

First, all SingPass users should be automatically registered for 2FA, and receive a PIN by snail mail. This means that SMS will be the default delivery mechanism for the OTP.

A version of this article appeared in the print edition of The Straits Times on October 28, 2015, with the headline 'Simplify steps needed for stepped-up SingPass security'.